Integrate Cisco IronPort Email Security Appliance (ESA)

Publication Date: January 4, 2017
Integrate Cisco IronPort (ESA)

Abstract

This guide provides instructions to configure Cisco IronPort Email Security Appliance (ESA) to send Syslog events to EventTracker.

Scope

The configurations detailed in this guide are consistent with EventTracker version 7.x and later, and Cisco IronPort Email Security Appliance AsyncOS v8.0, v9.0 and v10.0.

Audience

Cisco IronPort Email Security Appliance users who wish to forward events to EventTracker Manager.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2017 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Table of Contents

Abstract
Overview
Prerequisites
Send Cisco IronPort Email Security Appliance Logs to EventTracker
EventTracker Knowledge Pack (KP)
    Categories
    Alerts
    Flex Reports
Import Cisco IronPort ESA Knowledge Pack into EventTracker
    Category
    Alerts
    Tokens
    Token Templates
    Flex Reports
Verify Cisco IronPort ESA knowledge pack in EventTracker
    Categories
    Alerts
    Tokens
    Templates
    Flex Reports
Create Flex Dashboards in EventTracker
    Schedule Reports
    Create Dashlets
Sample Flex Dashboards


Overview

Cisco IronPort Email Security Appliance combines anti-spam, anti-virus, encryption, digital rights management and archiving technologies to stop email-borne threats. These solutions run on IronPort's MTA platform, providing high levels of email protection with preventive and reactive technologies and email management tools.

Prerequisites

EventTracker v7.x or later should be installed.

Admin privileges for Cisco IronPort ESA are required.

An exception should be added to the Windows firewall on the EventTracker machine for syslog port 514 (UDP, as selected in the log subscription below). Syslog over UDP is unacknowledged, so a blocked port shows up only as missing events on the EventTracker side.

Send Cisco IronPort Email Security Appliance Logs to EventTracker

1. Log in to the Cisco IronPort user interface.

2. Select System Administration\Log Subscriptions.

3. Click Add Log Subscription.

Figure 1


4. Configure the following values:

Log Type - Define a log subscription. Choose the log file type for this subscription:

IronPort Text Mail Logs

Delivery Logs

Bounce Logs

Status Logs

Domain Debug Logs

Injection Debug Logs

System Logs

CLI Audit Logs

FTP Server Logs

HTTP Logs

NTP logs

LDAP Debug Logs

Anti-Virus Logs

Anti-Virus Archive Scanning Logs

IronPort Spam Quarantine Logs

IronPort Spam Quarantine GUI Logs

Reporting Logs

Reporting Query Logs

Updater Logs

Log Name - Type a log name.

File Name - Use the default configuration value.

Maximum File Size - Use the default configuration value.

Log Level - Select Information (Default).

Retrieval Method - Select Syslog Push.

Hostname - Type the IP address or host name of your EventTracker Manager machine.

Protocol - Select UDP.

Facility - Use the default configuration value. This value depends on the configured Log Type.

5. Save the subscription.


EventTracker Knowledge Pack (KP)

Once logs are received in EventTracker, alerts and reports can be configured in EventTracker.

The following Knowledge Packs are available in EventTracker v7.x to support Cisco ESA monitoring:

Categories

Cisco IronPort ESA: Email bounced - This category provides information related to email bounced due to delay.

Cisco IronPort ESA: User authentication failed - This category provides information related to user authentication failure.

Cisco IronPort ESA: User authentication success - This category provides information related to user authentication success.

Cisco IronPort ESA: FTP activity - This category provides information related to File Transfer Protocol activity.

Cisco IronPort ESA: System activity - This category provides information related to configuration changes made by a user.

Cisco IronPort ESA: HTTP activity - This category provides information related to HTTP activity.

Cisco IronPort ESA: File reputation - This category provides information related to file reputation server initialization and the responses received for queries sent to that server.

Cisco IronPort ESA: CLI audit - This category provides information related to commands entered in a particular CLI session.

Alerts

Cisco IronPort ESA: Email bounced - This alert is generated when an email bounces due to delay on Cisco IronPort ESA.

Cisco IronPort ESA: User authentication failed - This alert is generated when any user authentication on Cisco IronPort ESA fails.

Cisco IronPort ESA: Inbound SMTP authentication failed - This alert is generated when an SMTP authentication attempt made during an inbound connection fails.

Cisco IronPort ESA: Outbound SMTP authentication failed - This alert is generated when an SMTP authentication attempt made during an outbound connection fails.


Flex Reports

Cisco IronPort ESA: User authentication failed - This report provides information about the usernames that attempted to log in to the appliance and failed.

Figure 2

Logs Considered:

Figure 3

Cisco IronPort ESA: User authentication success - This report provides information about the usernames that logged in to the appliance successfully.

Figure 4

Figure 5

Cisco IronPort ESA: Email bounced - This report provides information about the email addresses whose messages were bounced.

Figure 6


Figure 7

Cisco IronPort ESA: HTTP activity - This report provides information about the usernames that accessed the requested resources, and the HTTP method used.

Figure 8

Figure 9

Cisco IronPort ESA: System activity - This report provides information about configuration changes made by the admin.

Figure 10

Figure 11


Cisco IronPort ESA: CLI audit - This report provides information about the commands entered in a particular CLI session and displays the CLI output.

Figure 12

Figure 13

Cisco IronPort ESA: FTP activity - This report provides information about data uploaded, downloaded or transferred over FTP.

Figure 14


Logs Considered:

Figure 15

Cisco IronPort ESA: File reputation - This report provides information about the initialization of a file reputation query and the response received for it from the file reputation server.

Figure 16

Logs Considered:

Figure 17


Cisco IronPort ESA: Message scanning status - This report provides information about email attachments scanned by anti-virus and anti-spam, and the resulting action: drop, bounce or deliver.

Figure 18

Logs Considered:

NOTE: To gather more information about the events, perform Log Search using the regex

(Info\:\s+MID\s+).*|(Info\:\s+.*MID\s+).*|(Warning\:\s+MID).*

Figure 19
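The Knowledge Pack categories above and the Log Search regex in the NOTE can be exercised offline against sample syslog datagrams before any appliance is pointed at EventTracker. The following Python script is an added example written for this page; it is not part of the EventTracker Knowledge Pack or of Cisco AsyncOS. It decodes the RFC 3164 <PRI> header that a Syslog Push subscription prepends to each line (PRI = facility * 8 + severity), applies the regex quoted in the NOTE to pull out the MID, and maps message text to the category names listed earlier. The ESA log lines are constructed samples, and the per-category patterns are assumptions modelled on them; compare both against your own appliance's log output before relying on the rules.

```python
"""Decode ESA syslog pushes and tag them with Knowledge Pack categories.

Added example for this guide. Not EventTracker or Cisco code. The sample
log lines are constructed and the category patterns are assumptions.
"""
from __future__ import annotations

import re
import socket
from collections import Counter
from typing import Optional

# Regex given in the guide's NOTE for finding MID-bearing lines in Log Search.
MID_LINE = re.compile(r"(Info\:\s+MID\s+).*|(Info\:\s+.*MID\s+).*|(Warning\:\s+MID).*")
MID_ID = re.compile(r"\bMID\s+(\d+)\b")

# RFC 3164: a datagram starts with <PRI>, where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)\Z", re.DOTALL)
FACILITY_MAIL, SEVERITY_INFO = 2, 6  # mail facility, informational severity

# Knowledge Pack categories from this guide, keyed by a pattern over the
# message text. The message shapes are assumptions based on constructed
# samples; verify them against real ESA output before using them.
CATEGORY_RULES = [
    ("Cisco IronPort ESA: Email bounced",
     re.compile(r"\b(?:Bounced|Delayed):\s+DCID\s+\d+\s+MID\s+\d+")),
    ("Cisco IronPort ESA: User authentication failed",
     re.compile(r"\bauthentication failed\b", re.I)),
    ("Cisco IronPort ESA: User authentication success",
     re.compile(r"\blogged in\b", re.I)),
    ("Cisco IronPort ESA: CLI audit",
     re.compile(r"\bPID\s+\d+:\s+User\s+\S+\s+entered\b")),
]


def decode_pri(datagram: str) -> tuple[int, int, str]:
    """Return (facility, severity, message) for one syslog datagram."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("no <PRI> header: %r" % datagram[:40])
    pri = int(m.group(1))
    if pri > 191:  # local7 (23) * 8 + debug (7) is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8, m.group(2)


def build_datagram(message: str, facility: int = FACILITY_MAIL,
                   severity: int = SEVERITY_INFO) -> bytes:
    """Encode a message the way an RFC 3164 syslog push carries it."""
    return ("<%d>%s" % (facility * 8 + severity, message)).encode("utf-8")


def push_udp(datagram: bytes, host: str, port: int = 514) -> None:
    """Send one datagram to the collector (UDP gives no delivery guarantee)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


def message_id(message: str) -> Optional[int]:
    """MID of a line that the guide's Log Search regex would return."""
    if not MID_LINE.search(message):
        return None
    m = MID_ID.search(message)
    return int(m.group(1)) if m else None


def classify(message: str) -> Optional[str]:
    """First Knowledge Pack category whose pattern matches, else None."""
    for name, pattern in CATEGORY_RULES:
        if pattern.search(message):
            return name
    return None


def summarize(datagrams: list[str]) -> Counter:
    """Count categorised events per category across received datagrams."""
    counts: Counter = Counter()
    for d in datagrams:
        _facility, _severity, message = decode_pri(d)
        category = classify(message)
        if category:
            counts[category] += 1
    return counts


# Constructed sample datagrams (not captured from a real appliance).
SAMPLE = [
    "<22>Info: MID 6 ICID 5 From: <sender@example.com>",
    "<22>Info: Bounced: DCID 0 MID 6 to RID 0 - 5.1.0 - Unknown address error",
    "<22>Info: Delayed: DCID 8 MID 7 to RID 0 - 4.4.1 - Connection timed out",
    "<36>Warning: User admin authentication failed from 10.1.1.5",  # auth facility (4)
    "<38>Info: User admin logged in from 10.1.1.5",
    "<22>Info: PID 4242: User admin entered 'logconfig'",
]

if __name__ == "__main__":
    for d in SAMPLE:
        fac, sev, msg = decode_pri(d)
        print(fac, sev, message_id(msg), classify(msg), msg, sep=" | ")
    print(summarize(SAMPLE))
```

Because the subscription uses UDP, push_udp returns without confirming delivery; if events are missing in EventTracker, check the Windows firewall exception for UDP 514 on the EventTracker machine and the Hostname entered in the subscription before touching the parsing rules. The facility decoded from the PRI is the one set in the subscription's Facility field, so it is a quick way to confirm which log subscription a received line came from.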


Import Cisco IronPort ESA Knowledge Pack into EventTracker

NOTE:

Import knowledge pack items in the following sequence

Categories

Alerts

Templates

Flex Reports

Export Knowledge pack items in the following sequence

Categories

Alerts

Templates

Flex Reports

1. Launch EventTracker Control Panel.

2. Double click Export Import Utility.

Figure 20

3. Click Import tab.


Category

1. Click Category option, and then click the browse button.

Figure 21

2. Locate the All Cisco IronPort ESA group of Categories.iscat file, and then click the Open button.

3. To import categories, click the Import button.

EventTracker displays a success message.

Figure 22

4. Click OK, and then click the Close button.


Alerts

1. Click Alerts option, and then click the browse button.

2. Locate the All Cisco IronPort ESA group of alerts.isalt file, and then click the Open button.

Figure 23

3. To import alerts, click the Import button.

EventTracker displays a success message.

Figure 24

4. Click OK, and then click the Close button.


Tokens

1. To import tokens, click Token value option, and then click the browse button.

Figure 25

2. Locate the All Cisco IronPort ESA group of Tokens.istoken file, and then click the Open button.

3. Click the Import button.

EventTracker displays a success message.

Figure 26

4. Click OK, and then click the Close button.


Token Templates

1. Select Parsing Rules from the Admin drop-down.

2. Select the Template tab.

3. Click ‘Import’ option and select Browse button.

Figure 27

4. Locate All Cisco IronPort ESA group of token templates.ettd file, and then click the UPLOAD button.

Figure 28

5. Now select the check box and then click on ‘Import’ option.

EventTracker displays a success message.

Figure 29

6. Click OK, and then click the Close button.


Flex Reports

1. Click Reports option, and then click the browse button.

2. Locate the All Cisco IronPort ESA group of flex reports.issch file, and then click the Open button.

Figure 30

3. Click the Import button to import the scheduled reports.

EventTracker displays a success message.

Figure 31

4. Click OK, and then click the Close button.


Verify Cisco IronPort ESA knowledge pack in EventTracker

Categories

1. Logon to EventTracker Enterprise.

2. Click the Admin menu, and then click Categories.

3. In the Category Tree, expand the Cisco IronPort ESA group folder to view the imported categories.

Figure 32

Alerts

1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then click Alerts.

2. In the Search field, type 'Cisco IronPort ESA', and then click the Go button.

The Alert Management page displays all the imported 'Cisco IronPort ESA' alerts.

Figure 33


3. To activate the imported alerts, select the respective checkbox in the Active column. EventTracker

displays message box.

Figure 34

4. Click OK, and then click the Activate Now button.

NOTE: You can select an alert notification such as Beep, Email or Message. To do so, select the respective checkbox on the Alert Management page, and then click the Activate Now button.

Tokens

1. Logon to EventTracker Enterprise.

2. Click the Admin menu, and then click Parsing rule.

The imported Cisco IronPort ESA tokens are listed in the Token-Value Groups list on the left side of the Parsing rule tab of EventTracker Enterprise.

Figure 35


Templates

1. Click the Admin menu, and then click Parsing rule.

2. Select Template tab, and then click on ‘Import’ option.

Figure 36

Flex Reports

1. In the EventTracker Enterprise web interface, click the Reports menu, and then select Configuration.

2. In Reports Configuration pane, select Defined option.

3. In search box enter ‘Cisco IronPort ESA’, and then click the Search button.

EventTracker displays Flex reports of ‘Cisco IronPort ESA’.

Figure 37


Create Flex Dashboards in EventTracker

NOTE: To configure flex dashboards, first schedule and generate the reports. The Flex dashboard feature is available from EventTracker Enterprise v8.0.

Schedule Reports

1. Open EventTracker in a browser and log on.

Figure 38

2. Navigate to Reports>Configuration.

3. Select Cisco IronPort ESA in the report groups. Check the Defined check box.

Figure 39


4. Click on ‘schedule’ to plan a report for later execution.

Figure 40

Figure 41

5. Check the column names to persist using the PERSIST checkboxes beside them. Choose a suitable Retention period.


6. Proceed to the next step and click the Schedule button.

7. Wait till the reports get generated.

Create Dashlets

1. Open EventTracker Enterprise in a browser and log on.

Figure 42

2. Navigate to Dashboard>Flex. Flex Dashboard pane is shown.

Figure 43

3. Fill suitable title and description and click Save button.

4. Click to configure a new flex dashlet. Widget configuration pane is shown.


Figure 44

5. Locate the earlier scheduled report in the Data Source dropdown.

6. Select the Chart Type from the dropdown.

7. Select the extent of data to be displayed in the Duration dropdown.

8. Select the computation type in the Value Field Setting dropdown.

9. Select the evaluation duration in the As Of dropdown.

10. Select comparable values in X Axis with a suitable label.

11. Select numeric values in Y Axis with a suitable label.

12. Select a comparable sequence in Legend.

13. Click the Test button to evaluate. The evaluated chart is shown.


Figure 45

14. If satisfied, click Configure button.

Figure 46

15. Click ‘customize’ to locate and choose created dashlet.

16. Click to add dashlet to earlier created dashboard.


Sample Flex Dashboards

For the dashboard below, DATA SOURCE: Cisco IronPort ESA-File reputation

1. Cisco IronPort ESA: File reputation

WIDGET TITLE: Cisco IronPort ESA File reputation

CHART TYPE: Stacked Column

AXIS LABELS [X-AXIS]: File Name

Label Text: Source IP

LEGEND [SERIES]: Disposition

Figure 47


2. Cisco IronPort ESA: HTTP activity

WIDGET TITLE: Cisco IronPort ESA HTTP activity

CHART TYPE: Stacked Column

AXIS LABELS [X-AXIS]: HTTP Method

Label Text: HTTP Method

LEGEND [SERIES]: Status Code

Figure 48


3. Cisco IronPort ESA: User authentication failed

WIDGET TITLE: Cisco IronPort ESA User authentication failed

CHART TYPE: Stacked Column

AXIS LABELS [X-AXIS]: User Name

Label Text: User Name

Figure 49

